ABSTRACT



A method and apparatus is presented for establishing provable integrity or untampered state in secure devices. It employs active tamper response; generating authentication secrets inside the device via real hardware randomness to minimize risk of compromised factory machines; activating tamper response at a trusted point of trust to protect against attacks and/or continually certify the integrity of the device along shipping channels and at user sites; and allowing for all keys to be regenerated so that in accordance with sound cryptographic practice no one needs to depend on permanent keys. The point of trust is a central authority that is trusted by all parties that need to trust the provable untampered state of the secure device. At any point the certifying authority authenticates the integrity and/or untampered state of the device, and re-issues a new certificate for that device. Alternate embodiments enable the device to be shipped without its tamper-response enabled, and/or to re-initialize and certify devices that have been erased or zeroized. Particular methods are used to restrict access of the device's central private key only to trustworthy code in the device. This invention minimizes the parties that one must trust in order to trust in the alleged integrity and/or untampered state of a device, while providing disaster protection with simplicity of device shipping, use and installation.

34 Claims, 7 Drawing Sheets 
ESTABLISHING AND EMPLOYING THE PROVABLE UNTAMPERED STATE OF A DEVICE

CROSS REFERENCES 

The present application is related to the following applications even dated herewith: entitled, "Securely Downloading and Executing Code From Mutually Suspicious Authorities", by inventors S. W. Smith et al., assigned Ser. No. 08,920,814 with a filing date of Aug. 29, 1997; entitled, "Hardware Access Control Locking", by inventors T. A. Caftno et al.; and, entitled, "Authentication for Secure Devices With Limited Cryptography", by inventors M. S. Matyas et al., assigned Ser. No. 08,921,442 with a filing date of Aug. 29, 1997, which are incorporated herein by reference.

FIELD OF THE INVENTION 

The present invention is directed to the field of security. 
It is more specifically directed to the security of data in a 
device. 

BACKGROUND OF THE INVENTION 

Scientists continue to strive to find ways to monitor and/or maintain the security level of a process, processor, coprocessor or processing element. It is recognized that heretofore, a computational device was considered to be secure if it was armored with physical packaging to prevent any access to the internal data and circuits, except via the official interface. The technology and effectiveness of this physical armor varies considerably. All secure devices, by definition, purport to have passive tamper-resistance. Some use more advanced techniques in order to also attempt to be tamper-responsive. A device is said to be tamper-responsive if it is provided with a means for actively detecting tamper or penetration, and has the capability of responding by zeroizing and/or erasing sensitive data it contains before it can be observed. An example of a low-end secure device is a simple smart card. The smart card offers limited computational ability and limited, passive physical security. An example of a high-end secure device is a cryptographic server adapter, with active tamper response.

Generally, applications that require secure devices depend on the physical security of these devices. If they did not, the additional expense of physical security is usually not justifiable. Physical security is necessary if someone potentially with direct access to the device might be motivated to attack it. Such potential adversaries include anyone with physical access. This includes personnel at the factory, along the shipping channel, at retailers and warehouses, and the often overlooked user site.

For example, consider a simple electronic wallet. In this situation, cash is simply a value in a register in the coprocessor resident in the electronic wallet. If a user manages to run their wallet program on hardware which is susceptible to tamper by that user, then that user has effectively created a bottomless wallet. This compromises the security of the entire distributed application.

A bona fide, untampered secure device needs a method by which it can prove that it is untampered and in a state of continued integrity; this is herein referred to as an untampered state method. This has some primary constraints and/or requirements. To begin with, this method needs to be computational, not physical. It is realized that a tampered device might look just like an untampered one. With current commercially viable physical security technology, physical inspection of a device does not suffice to determine if the device has been tampered with by an attacker with at least moderate skills. Without such an untampered state method, a tampered device can appear to carry out its application identically to an untampered one.

As used herein the term device includes a processor, a coprocessor, processing element and/or computational apparatus. The terms erase and/or zeroize as used herein represent any means of disabling the readability and/or retrieval of the secrets contained in the device. The terms integrity and untampered state are used interchangeably herein.

A useful untampered state assuredness method, or untampered state method, should employ a technology that provides physical security that also shields a device's internal data, programs, and circuits from any direct examination by the user. Otherwise, an adversary who is able to tamper with a device that performs cryptographic functions can modify the key generation algorithms. The so tampered device appears to work normally, while the adversary learns and makes use of each key.

In many applications, the program running on such an untamperable device needs to computationally build on this provable untampered state. For example, the electronic wallet program cited above needs not just to run on an untampered device, but also to be able to convince remote agents that it is indeed running on such a device. Thus, an untampered state assuredness method must enable an untampered authentic device to distinguish itself from a device that has been modified (say, to install a backdoor or to disable tamper response); and to distinguish itself from a software/hardware clone that may have been constructed after destructive analysis of several real devices.

Some chip-card techniques used heretofore employ the idea of installing a permanent key pair in a device that is merely tamper-resistant. However, these techniques do not address the problem of providing the provable untampered state to third parties in potentially hostile user environments and in an application-available way. Furthermore, tamper-responsive hardware standards do not adequately address this problem.

SUMMARY OF THE INVENTION 

The present invention provides a method and apparatus to fully address the suite of problems related to provable untampered state assuredness in secure devices. It includes using active tamper response, generating authentication secrets inside the device via real hardware randomness to minimize risk of compromised factory machines, activating tamper response at a point of trust (certifying authority) to protect against attacks, and/or continually certifying the untampered state of the device along shipping channels and at user sites, and/or allowing for all keys to be regenerated so that in accordance with sound cryptographic practice there is no need to depend on permanent keys.

One aspect of the present invention provides a device having a certifying authority trusted by a user family which includes the device. The certifying authority (often the device manufacturer) has an authority private key. The device comprises a memory and a tamper circuit responsive to a tampering phenomenon and capable of being enabled by the certifying authority to respond to a tamper condition. A key pair generator 103 generates a key pair for the device. The key pair includes a device private key and a device public key. The key pair generator 103 is capable of exporting the device public key to the certifying authority such that
the certifying authority performs a verification that the device public key emerged from the device, and signs a first certificate with the authority private key. The first certificate includes the device public key and at least one identifying property of the device. The authority issues the first certificate which becomes available to a third party for use in establishing that the device is in an untampered state. In an embodiment, the device further comprises a zeroizing circuit capable of erasing a portion of the memory upon the tamper circuit detecting an occurrence of the tampering phenomenon, and/or the memory includes all non-volatile memory in the device, and/or the key pair is generated using an internal source of non-deterministic randomness.

Another aspect of the invention is a device having a memory which includes data required to be erased upon a tampering attempt. The device includes a tamper responsive circuit having an enabling capability, a certifying authority, an initialization circuit wherein the certifying authority enables the tamper responsive circuit using the enabling capability, a first key pair generator for generating a public key made available to a polity of third party users and for generating a private key retained in the memory, and a certification circuit for exporting the public key to the certifying authority via the ordinary outgoing communication channel. This is such as to enable the certifying authority to verify the public key, certify that the public key emerged from the device, and certify that the device is untampered. In some embodiments, the device further includes a key pair regenerator for forming a new key pair upon an occurrence of a predetermined event, and/or a recertifier for exporting the new public key to the certifying authority such as to enable the certifying authority to verify the new public key and certify that the new public key emerged from the device and that the device is untampered, and/or a re-initialization circuit for reinitializing the device to an operative state following the device being zeroized in response to the tampering event, and/or a memory disaster protection circuit for stopping an attacker from impersonating the device.

A critical aspect here is that the certifier knows which device the new public key came from. That is, that it came from the device which had previously been certified to have some other public key. Also, if the device regenerates its keypair, then the device itself will produce a "Transition Certificate", signed with the device's old private key, attesting to the change to the new public key. Such "internal recertification" can occur arbitrarily many times (limited only by policy) before external recertification occurs.

Still another aspect of the present invention is a method for a certifying authority to certify an untampered state and/or untampered state assuredness of a device. The method comprises enabling a tamper-responsive circuit in the device, generating a device first key pair including a first public key that matches a first private key, and storing the first private key in the device. It also may include the steps of exporting the first public key to at least one third party, verifying that the first public key originates from the device and that the device is in the untampered state, verifying that the device knows the first private key that matches the first public key and the device is untampered, and forming a device certificate which certifies the verification of the device.

In some embodiments, the method further comprises the step of ensuring that the device certificate is available to a user to whom the device wishes to be authenticated, and/or the step of the device authenticating that the certificate came from the certifying authority. This is sometimes followed with a third party verifying the untampered state of the device. The third party uses standard cryptology protocols to verify that the device knows the private key matching a particular public key. This is done by obtaining from the device its latest external certificate (first certificate, or its replacement) and any subsequent transition certificates, by verifying the correct signing and formation of these certificates, and by verifying that these certificates attest to the public key the device allegedly owns. Also, using standard cryptographic techniques, the process of successful verification of untamperedness is then useable to prove that a particular message came from that device.

In some embodiments the device has at least two kinds of certificates. These are the first certificate (or its replacement) signed by the external authority, and a chain of zero or more transition certificates attesting to regenerations since the last recertification. Thus at a minimum, these are available: the last externally generated certificate, and all subsequent certificates.

Another aspect of the present invention is the process of generating a keypair within a device, exporting the public key, and shipping the device with tamper protection enabled.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other objects, features, and advantages of the present invention will become apparent upon further consideration of the following detailed description of the invention when read in conjunction with the drawing figures, in which:

FIG. 1(a) shows an embodiment of an apparatus in accordance with the present invention;

FIG. 1(b) shows a flow diagram of an implementation of initial device certification in accordance with the present invention;

FIG. 2 shows a flow diagram of a scenario to implement a regeneration of the device keypair in accordance with the present invention;

FIG. 3 shows a flow diagram of a scenario for implementing a proof of the untampered state in accordance with the present invention;

FIG. 4 shows an implementation of a scenario for performing recertification in the field in accordance with the present invention;

FIG. 5 shows a flow diagram of a scenario for recertifying a device with regeneration of the certificate in accordance with the invention;

FIG. 6 shows the various scenarios a device might pass through in its lifetime.

DETAILED DESCRIPTION OF THE INVENTION

The present invention provides a method and apparatus to fully address the suite of problems related to the provable untampered state of secure devices. The invention includes the method and apparatus for:

using active tamper response;

generating authentication secrets inside the device via real hardware randomness to minimize risk of compromised factory machines;

activating tamper response at a trusted point of trust to protect against attacks and/or continually certify the untampered state assuredness of the device along shipping channels and at user sites; and

allowing for all keys to be regenerated, so that in accordance with sound cryptographic practice no one needs to depend on permanent keys.



11/10/2003, EAST Version: 1.4.1 




The particular usage of the point of trust is an important aspect of this invention. The point of trust becomes a certifying authority and will herein be called the certifying authority. It is noted that in some applications more than one certifying authority may exist. Moreover, the certifying authority may, or is even likely to, change from time to time during the life of the device and/or the application. In reality the certifying authority is likely to be one or more human beings, a business entity or part thereof, and/or a computer, or combinations of these.

In one embodiment the invention is implemented using the following approach. A 'certifying authority' is identified. The 'certifying authority' is a central authority that is trusted by all parties that need to trust the provable untampered state assuredness of a secure device. Identifying and having this authority be the manufacturer of the device offers several natural advantages. Firstly, since the manufacturer bears responsibility for the untampered state of the circuitry and permanent firmware in the device, all parties need to trust the manufacturer anyway. Secondly, the certifying authority must be one that possesses both the motivation and the ability to determine whether a device (without provable untampered state assuredness) is indeed genuine and untampered. The manufacturer, having just built the device, is in the best position to assert this.

Once the 'certifying authority' has been identified the device goes through the steps of 'initialization', 'keypair generation', 'certification', 'shipment and use'. Some devices also go through the steps of 'regeneration' and/or 'recertification'. Initialization is performed in the presence of the certifying authority, whereupon the device has its tamper-response circuitry enabled. From this point onward, the device zeroizes its secrets upon tamper.

Generally, keypair generation follows initialization, 
whereupon the device generates, or requests, a truly random 
key pair. This may employ RSA, DSS or any other public- 
key or authentication algorithms. The keypair includes a 
private key and a public key. The device retains the so 
generated private key within secure memory. Often, the 
keypair is generated using an internal source of real, non- 
deterministic randomness. This is followed by certification, 
wherein the device then exports its public key to the certi- 
fying authority, in a way such that the authority can verify 
that the public key did indeed emerge from the alleged 
device. A simple way to do this is in a clean room at the 
manufacturing facility. 

The certifying authority assembles a certificate containing 
the device's public key, and any desired relevant identifying 
information about the device and its properties. The author- 
ity signs this certificate with its own private key, then returns 
it to the device. The device is ready for shipment and use. 
From this point onward, the device has the ability to prove 
that it is untampered by demonstrating that it knows the 
private key matching the public key contained in the cer- 
tificate. 

This is usually accomplished by using public key signa- 
tures. 

In some embodiments the device is able to perform key regeneration. In this situation, the device can cause itself to generate a new key pair. This is performed in accordance with, and as determined by, policy. Regeneration uses the old private key to sign a transition certificate asserting the change from the old public key to a new public key. It then erases the old private key. The device retains the newly generated private key within its secure memory.

A chain of transition certificates, rooted in a certifying authority certificate, then suffices to establish the public key of the untampered card. This may be followed by recertification, wherein the device then exports its new public key to the certifying authority, in a way such that the authority can verify that the key did indeed emerge from the alleged device. At any point (again, determined by policy), the certifying authority uses the steps of this invention to authenticate an untampered device, and to re-issue a new certificate for that device, attesting to the latest public key at that device. With the appropriate choice of policy which determines what constitutes a valid key pair, both regeneration and recertification can ensure that no one needs to depend on a permanent key pair.
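As a worked illustration of the certification, regeneration and verification steps just described (and of the CERT(0) through CERT(N) verification sequence described later in the detailed description), the following Go program is an added example; it is not code from the patent or from any product the patent describes. It substitutes Ed25519 from the Go standard library for the unspecified public-key algorithm (RSA, DSS or other), the operating system entropy source for the device's internal hardware randomness, and a hypothetical certificate encoding (`certBody`). The names `Certificate`, `Device`, `Certify`, `Zeroize`, `Regenerate`, `Prove` and `VerifyUntampered`, the serial `serial-0001` and the nonce are this example's own constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Certificate: CERT(0) is signed by the certifying authority, each later CERT(i) by the key in CERT(i-1).
type Certificate struct {
	Subject   ed25519.PublicKey // the public key being attested
	DeviceID  string            // an identifying property of the device
	Signature []byte
}

// certBody is the byte string an issuer signs (hypothetical encoding, not the patent's).
func certBody(subject ed25519.PublicKey, id string) []byte {
	return append([]byte("device-cert:"+id+":"), subject...)
}

type Device struct {
	ID    string
	Pub   ed25519.PublicKey  // exported, together with Chain
	priv  ed25519.PrivateKey // never exported; nil once zeroized
	Chain []Certificate      // CERT(0), CERT(1), ..., CERT(N)
}

// NewDevice draws the key pair from the OS entropy source (the device's internal randomness).
func NewDevice(id string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, Pub: pub, priv: priv}, nil
}

// Certify: the authority, satisfied (e.g. in the clean room) that Pub came from this device, signs CERT(0).
func (d *Device) Certify(authorityPriv ed25519.PrivateKey) {
	d.Chain = []Certificate{{Subject: d.Pub, DeviceID: d.ID, Signature: ed25519.Sign(authorityPriv, certBody(d.Pub, d.ID))}}
}

// Zeroize is what the tamper circuit triggers: the private key is overwritten and dropped.
func (d *Device) Zeroize() {
	for i := range d.priv {
		d.priv[i] = 0
	}
	d.priv = nil
}

// Regenerate: new key pair, transition certificate signed with the old private key, old key erased.
func (d *Device) Regenerate() error {
	if d.priv == nil {
		return fmt.Errorf("device zeroized: no private key to sign a transition certificate")
	}
	newPub, newPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	d.Chain = append(d.Chain, Certificate{Subject: newPub, DeviceID: d.ID, Signature: ed25519.Sign(d.priv, certBody(newPub, d.ID))})
	d.Zeroize() // erase the old private key before installing the new pair
	d.priv, d.Pub = newPriv, newPub
	return nil
}

// Prove signs a verifier's fresh nonce with the current private key; a zeroized device cannot.
func (d *Device) Prove(nonce []byte) ([]byte, error) {
	if d.priv == nil {
		return nil, fmt.Errorf("device zeroized: cannot prove untampered state")
	}
	return ed25519.Sign(d.priv, nonce), nil
}

// VerifyUntampered is the agent's check: CERT(0) under the authority key, each CERT(i) under the
// key in CERT(i-1), the chain ending at the claimed key, and a valid signature on the fresh nonce.
func VerifyUntampered(authorityPub ed25519.PublicKey, chain []Certificate, claimed ed25519.PublicKey, nonce, proof []byte) error {
	if len(chain) == 0 || !ed25519.Verify(authorityPub, certBody(chain[0].Subject, chain[0].DeviceID), chain[0].Signature) {
		return fmt.Errorf("CERT(0) missing or not signed by the certifying authority")
	}
	for i := 1; i < len(chain); i++ {
		prev, cur := chain[i-1], chain[i]
		if cur.DeviceID != prev.DeviceID || !ed25519.Verify(prev.Subject, certBody(cur.Subject, cur.DeviceID), cur.Signature) {
			return fmt.Errorf("CERT(%d) is not signed by the key attested in CERT(%d)", i, i-1)
		}
	}
	if !chain[len(chain)-1].Subject.Equal(claimed) || !ed25519.Verify(claimed, nonce, proof) {
		return fmt.Errorf("chain does not end at the claimed key, or proof of possession failed")
	}
	return nil
}

func main() {
	authPub, authPriv, _ := ed25519.GenerateKey(rand.Reader)
	dev, _ := NewDevice("serial-0001") // constructed sample identifier
	dev.Certify(authPriv)
	_ = dev.Regenerate() // one policy-driven regeneration: the chain is now CERT(0), CERT(1)
	proof, _ := dev.Prove([]byte("nonce"))
	fmt.Println(VerifyUntampered(authPub, dev.Chain, dev.Pub, []byte("nonce"), proof))
}
```

The order inside `Regenerate` is the point: the transition certificate is signed before the old private key is erased, so the chain never has a gap, and a device whose tamper circuit has fired holds no private key and can neither extend the chain nor answer a challenge. The policy limit on how many internal regenerations may occur before external recertification would be enforced in `VerifyUntampered` by bounding `len(chain)`.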

FIG. 1(a) shows an apparatus embodiment of the present invention. The apparatus has an input and an output, and includes a memory 101 for storing code, secrets and operation data. It has a tamper circuit 100 responsive to a tampering phenomenon and coupled to the memory 101. The tamper circuit 100 is capable of being enabled by a certifying authority to respond to the tampering phenomenon. Sometimes, the memory includes all the volatile and non-volatile memory in the apparatus. Generally, there are three kinds of memory. These are volatile DRAM, non-volatile SRAM and non-volatile EEPROM. In a particular embodiment, only the first two are zeroized when a tamper phenomenon is detected.

The certifying authority has an authority private key known to the apparatus. The apparatus also has a key pair generator 103 which generates a device key pair for the apparatus. It is advantageous for the device key pair to be generated using an internal source of non-deterministic randomness and/or to regenerate a new key pair in response to a predetermined event. The predetermined event includes a particular time lapse, a reload of cryptographic software, an amount of apparatus usage and/or a tampering detection. The device key pair includes a device private key and a device public key which are stored in the memory 101. The device key pair generator 103 is capable of exporting the device public key via the output to the certifying authority such that the certifying authority is enabled to perform a verification that the device public key emerged from the apparatus, and that the apparatus was not attacked by the tampering phenomenon. When the verification is successful the certifying authority is able to certify that the apparatus is in an untampered state. Often, the certifying authority is a manufacturer of the apparatus.

In some embodiments the untampered state is certified by the certifying authority signing a first certificate with the authority private key. The first certificate includes the device public key and at least one identifying property of the device. The certifying authority issues the first certificate which becomes available to a third party for use in establishing that the device is in the untampered state.

In some embodiments the device also includes a zeroizing circuit 105 capable of erasing a portion of the memory 101 upon the tamper circuit 100 detecting an occurrence of the tampering phenomenon. It may also include a verifier for outputting a proof of its being in the untampered state by exhibiting a knowledge of the device key pair, and/or a transition certificate producer which produces a transition certificate which certifies the authenticity of the new key pair. The device may have a chain of transition certificates to which each transition certificate is added. It is advantageous for the apparatus to use the device private key to sign the transition certificate which asserts a change from the public key to a new public key, and/or to have the chain of transition certificates shown to be rooted in the first certificate so as to maintain the continuity of the untampered state. Sometimes, the device private key is erased.
It is advantageous for the apparatus to have a recertifier 107 for enabling the certifying authority to recertify the apparatus. The recertifier may be used to authenticate the untampered state, provide a recertification of the untampered state, and to attest to the public key. Sometimes, the first certificate purposely has a finite life, and the recertification is performed at predetermined intervals prior to an end of the finite life.

The apparatus may include a reinitialization circuit 109 to 
perform reinitialization of its circuitry and/or memory 101. 
All the components of the apparatus may be interconnected 
with a connecting cable harness 104. These circuits are 
implemented as known to those skilled in the art and/or 
described in the below referenced documents. 

An array of specific implementing embodiments for vari- 
ous scenarios is described subsequent to the following 
important considerations. It is noted that this invention 
exploits the foundation of physical security. This requires 
that any tamper causes the internal secret portions of 
memory in the device to be erased. However, in order for the 
invention to be effective, this foundation must be ensured to 
be effective. Thus the invention implementation takes sev- 
eral precautions. This includes using special software archi- 
tecture that ensures that the private key indeed remains 
private. This is especially required in the face of potentially 
permeable system software. It also includes regularly invert- 
ing the stored secrets, to avoid imprinting the device's 
SRAM with long-term storage. 

Alternate embodiments enable the device to be shipped without its tamper-response enabled, and/or to re-initialize and certify devices that have been erased or zeroized. In these situations, the method and apparatus of the present invention is modified in two ways. Firstly, steps are taken to authenticate that the exported public key really came from the alleged device. One way to do this is to use hidden symmetric keys which do not get erased when the device is zeroized. This is described in the above cross referenced document, attorney docket number Y0997-257, entitled, "Authentication for Secure Devices With Limited Cryptology." Secondly, fields in the device's certificate may be used to assert that the device was initialized in a substandard way.
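The following Go program is an added example of the two modifications, not the patent's code and not the detailed mechanism of the cross-referenced application. It assumes that the hidden symmetric key survives zeroization and is shared with the certifying authority at manufacture (the page states only that the key is hidden and not erased), authenticates the exported public key with an HMAC-SHA256 tag under that key, and records the substandard initialization in a signed certificate field named `Substandard` here. Ed25519 and HMAC-SHA256 from the Go standard library stand in for the unspecified algorithms; the type and function names, the hidden key and the serial `serial-0001` are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ReinitCertificate is the authority's certificate for a device re-initialized after zeroization.
// Substandard (hypothetical field name) asserts that initialization did not occur in the authority's presence.
type ReinitCertificate struct {
	Subject     ed25519.PublicKey
	DeviceID    string
	Substandard bool
	Signature   []byte
}

// reinitBody is the signed encoding; the flag is inside the signature so it cannot be stripped later.
func reinitBody(pub ed25519.PublicKey, id string, substandard bool) []byte {
	flag := byte(0)
	if substandard {
		flag = 1
	}
	return append(append([]byte("reinit:"+id+":"), flag), pub...)
}

// exportTag authenticates an exported public key under the device's hidden symmetric key.
func exportTag(hiddenKey []byte, id string, pub ed25519.PublicKey) []byte {
	mac := hmac.New(sha256.New, hiddenKey)
	mac.Write([]byte("export:" + id + ":"))
	mac.Write(pub)
	return mac.Sum(nil)
}

// ZeroizedDevice holds only what survives zeroization: its identifier and the hidden key
// (assumed here to be shared with the authority at manufacture).
type ZeroizedDevice struct {
	ID        string
	hiddenKey []byte
	priv      ed25519.PrivateKey
	Pub       ed25519.PublicKey
}

// Reinitialize generates a fresh key pair in the field and exports the public key with a tag
// that only a holder of this device's hidden key could have produced.
func (d *ZeroizedDevice) Reinitialize() (pub ed25519.PublicKey, tag []byte, err error) {
	d.Pub, d.priv, err = ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return d.Pub, exportTag(d.hiddenKey, d.ID, d.Pub), nil
}

// AuthorityRecertify checks the tag under the hidden key it holds for id; on success it issues a
// certificate flagged Substandard, because the key was not generated under its direct supervision.
func AuthorityRecertify(authPriv ed25519.PrivateKey, hiddenKeys map[string][]byte, id string, pub ed25519.PublicKey, tag []byte) (ReinitCertificate, error) {
	k, ok := hiddenKeys[id]
	if !ok || !hmac.Equal(exportTag(k, id, pub), tag) {
		return ReinitCertificate{}, fmt.Errorf("public key for %q not authenticated by the device's hidden key", id)
	}
	c := ReinitCertificate{Subject: pub, DeviceID: id, Substandard: true}
	c.Signature = ed25519.Sign(authPriv, reinitBody(pub, id, true))
	return c, nil
}

// VerifyReinitCertificate is the relying party's check: ok reports a valid authority signature,
// substandard reports the flag, which is only meaningful when ok is true.
func VerifyReinitCertificate(authPub ed25519.PublicKey, c ReinitCertificate) (substandard bool, ok bool) {
	ok = ed25519.Verify(authPub, reinitBody(c.Subject, c.DeviceID, c.Substandard), c.Signature)
	return c.Substandard && ok, ok
}

func main() {
	authPub, authPriv, _ := ed25519.GenerateKey(rand.Reader)
	hidden := make([]byte, 32)
	_, _ = rand.Read(hidden) // constructed: the hidden key installed at manufacture
	dev := &ZeroizedDevice{ID: "serial-0001", hiddenKey: hidden} // constructed sample identifier
	pub, tag, _ := dev.Reinitialize()
	cert, err := AuthorityRecertify(authPriv, map[string][]byte{dev.ID: hidden}, dev.ID, pub, tag)
	fmt.Println(err, cert.Substandard)
	fmt.Println(VerifyReinitCertificate(authPub, cert))
}
```

Two properties follow from the construction. The per-device tag tells the authority which device the new key came from, which is the first modification; and because the `Substandard` flag is covered by the authority's signature, a relying party cannot be shown a "clean" certificate by clearing the flag, which is what makes the second modification enforceable.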

Particular software is often used to restrict access of the 
device's central private key only to trustworthy code in the 
device. It is advantageous to use a code downloading 
approach which allows on-board programs to use the 
device's provable untampered state as a foundation for 
authenticating their identity and the fact that they are run- 
ning in a trusted hardware and software environment. That 
is to say, the device is untampered and running the particular 
software the authority expects it to be running, and one has 
the right to believe that the real device is doing the right 
thing. 

The present invention solves the central problem of providing a computational means for an untampered secure device to prove that it is untampered. However, the present invention also provides additional advantages. This invention, especially if the implementation uses the manufacturer as the certifying authority, minimizes the number of parties that one must trust in order to trust in the alleged untampered state of a device. When a device is physically encapsulated, one is forced to trust the party that did the encapsulation. But with this invention, one need not trust anyone else. This includes personnel at the user site. In the previous example of the electronic wallet, the present invention precludes a user of the wallet from attacking the wallet in order to convince someone else that this user's 'bottomless' wallet is running on an untampered device.

Another advantage of the present invention is the simplicity of shipping and installation of a device. This is because the device carries its own key pair and certificate with which it is always able to prove its authenticity by itself. In particular, the manufacturer does not need to ship extra data out-of-band, nor send trusted engineers to the installation site, nor retain any database of user/device data.

Still another advantage of the present invention is that there are no backdoors through which a device is tamperable without preventing the discovery of any device secrets. This avoids the scenario where tampering of the device causes it to be zeroized, but the device keys are nevertheless discoverable. This is because the device's keys are generated internally to the card by real randomness. Thereby a device user can always ascertain that the device's private key has never been compromised outside of the device.

Still another advantage of the present invention is its providing disaster protection. Nothing inside a zeroized device can enable an attacker to impersonate or attack that device. Furthermore, should the tamper response in a device fail to work, an attacker's determination of that device's data only enables the attacker to impersonate that particular device. No other device is threatened by this determination.

Another advantage of the present invention is that there are no permanent keys. This is because in accordance with the present invention each device generates its own key pair. Also, no device key in the system is forced to be permanent, in so much as the key pairs may be regenerated in response to an event. The event is often predefined. For example, it may be defined to occur upon an external command or request, a reload of cryptographic software and/or the passage of a fixed or random time interval. Furthermore, the keypair belonging to the certifying authority does not need to be permanent.

Actual embodiments of the present invention are dependent upon the particular scenario being implemented. A variety of scenarios showing typical utilizations of the present invention are described. The first scenario is an implementation of initial device certification. A flow diagram is shown in FIG. 1(b). In the first step to certify the device the certifying authority (usually the manufacturer) enables the tamper-response circuitry in the device (102). In most embodiments, once enabled, this circuitry cannot subsequently be disabled.

The device then uses an internal source of true randomness to generate its initial keypair. The keypair includes a random public key and a random private key (104). It is advantageous that the internal source be a true random number generator. The device stores the private key internally, in secure memory. The secure memory is protected by the tamper-response circuitry (106). The device exports its public key (108) to the certifying authority. At this point, the certifying authority verifies that the public key really originates from an authentic, untampered device (110). It is advantageous that the manufacturer be the certifying authority so that this verification follows directly from the fact that this device was just built and is still inside the manufacturer's vault. However, the certifying authority could be a third party, distinct from the manufacturer and the end user. If there exists a secure path (equivalent to trusted armed guards) between the manufacturer and this third party, then the third party is essentially an extension of the manufacturer. Otherwise, the third party must first verify the veracity of all the data loaded in the device.

The certifying authority also verifies that the device knows the private key that matches the public key it is claiming (112). This is accomplished by using standard public key cryptography techniques known to those skilled in the art. If these verifications (110, 112) succeed, the certifying authority then composes a device certificate which verifies the validity and security of the device, and its being in an untampered state. The device certificate contains the device's public key, the device's security level, and any other desired identifiers and data (114). The certifying authority signs this certificate with the certifying authority's own private key (116).

The certifying authority then needs to ensure that this certificate can reach any party to whom the device wishes to be authenticated. In one implementation the certifying authority does this by sending the certificate to the device (118). The device may thenceforth be requested to present the certificate and/or the information contained in it to the requesting party. In an alternate implementation, the certifying authority publishes the certificate in a public repository

always has a list of transition certificates, but this list is initially empty. The device stores these certificates and exports them along with the signed statement. An alternate embodiment does this using any transmission route to the agent from the certifying authority. Information goes from the creators of the certificates to the agent. The creator of the transition certificate is the device itself. For example, each is published in some public repository upon creation. A web server is a typical repository. The agent then needs to verify the signature on the signed statement. This is accomplished by employing a signature verification technique. In one embodiment this technique is performed as follows. Consider that the group of certificates are ordered in a sequence. Let CERT(0) denote the device certificate, and CERT(1) through CERT(N) be the transition certificates. The agent does three things. Firstly, the agent verifies the signature on CERT(0) against the published public key for the certifying authority (312). Secondly, for each i ≥ 1, the agent verifies the signature on CERT(i)

tory. against he public key contained in CERT(i-l) (314). 

The device then verifies that the certificate came from the 20 Thirdly, the agent verifies the signature on the signed 

certifying authority (120). In one implementation, this is statement against the public key in the final certificate in this 

achieved as a direct consequence of the device still residing sequence (316). If these verifications are successful and the 

inside the protected manufacturing vault. In an alternate statement contains the nonce (318), then the agent accepts 

implementation, the device has implicitly authenticates the the device as being untampered (320). This completes the 

authority as part of a secret key authentication technique. 25 proof of the device's untampered slate. 

The device then stores the certificate inside its internal There are some alternates to this approach. In one 

non-volatile memory (122). This memory is not necessarily alternate, the presence of the nonce is used to convince the 

secure. This completes the initial certification of the device. agent that the device with which it is currently interacting is 

FIG. 2 shows a scenario to implement a regeneration of untampered. In cases in which this property is not critical, 
the device keypair in accordance with the present invention. 30 the steps using the nonce (302, 318) can be omitted. Stronger 
Adevicc regenerates its keypair based on an explicit request, authentication techniques (such as zero-knowledge 
as an atomic (defined below) part of another operation, schemes) can also be used in place of the public-key 
and/or based on some periodic or (often purposefully) signature approach described above, 
nondcterministic event. To regenerate its own keypair, the FIG. 4 shows an implementation of a scenario for per- 
device uses an internal source of true randomness to gen- 35 forming reccrtification in the field in accordance with the 
erate a new keypair (202). The device then composes a present invention. FIG. 4 shows how a certifying authority 
' transition certificate', which includes the new public key of can recertify an untampered device as follows. The certify- 
that device, and any other desired additional explanatory ing authority has the device in question prove its untampered 
information (such as the old public key of that device, why stale (402). This is accomplished as shown in FIG. 3. In 
this regeneration occurred) (204). The device Ihen signs the 40 some situations the authority supplements this technique 
transition certificate with its old private key (206). The with such things as examination of the device's physical 
device then commits to this new keypair by atomically condition and chain of custody. The certifying authority then 
performing three actions. It deletes the old private key (210). composes a new device certificate, attesting to the current 
It establishes the new keypair as the current keypair (212). device public key, device security level, and any other 
Finally, it appends the transition certificate to the device's 45 relevant information (404). The certifying authority signs 
list of transition certificates in the devices'nonvolatile this new device certificate with the authority's current 
memory (214). The list of transition certificates is initially private key (406), and sends this back to the device (408). 
empty. In some embodiments these actions are not per- The device verifies that this new certificate came from an 
formed atomically. authority permitted to recertify that device (410), and stores 

A process is herein referred to as being performed 50 this certificate as its new device certificate (412). It is noted 
'atomically', when to any observer, either all of these actions that this approach docs not require that the certifying author- 
appear to happen, or none of them do, despite failures such ity who recertifies the device to be the same as the certifying 
as power loss during the operation (208). Thus thc three authority who initially certified the device, 
steps 210, 212 and 214 form an atomic operation. With Alternatives to the approach of FIG. 4 include the fol- 
regard to an observer, the three are all performed or none is 55 lowing. In one alternative, the device also does additional 
performed. sanity checking on the new certificate before accepting it. 

A scenario for implementing a proof of untampered slate For example, if the device had sufficient computing power 

is shown in FIG. 3. FIG. 3 shows that in order for a device and program space, the device could check that the new 

to prove its untampered state to an external agent, the agent certificate is of the proper format, is properly signed, and 

first presents the device with a nonce (302). A nonce is some 60 really attests to that device's current public key. 

data which the agent is confident could not have been In another alternative, the device could also retain the 

predicted by an adversary. The device then composes a previous device certificate, or indeed have more than one 

statement which includes this nonce (304). It signs this certificate active at any particular point in time. For 

statement with its private key (306), and exports this slate- example, the device might participate in multiple 

ment to the agent (308). 65 applications, each of which has its own central certifying 

The agent now obtains the device's device certificate and authority. In this situation, the device uses a separate cer- 

transilion certificates (310). In one embodiment, the device tificatc chain for each application. 
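The initial certification of FIG. 1(b), the keypair regeneration of FIG. 2 and the proof of untampered state of FIG. 3, as an added worked example in Go; this is not code from the patent or from any implementation of it. It substitutes Ed25519 from the Go standard library for the unspecified public-key scheme, and the certificate field layout, the byte encodings that get signed, the challenge used for the proof of possession (112) and every key, nonce and reason string are assumptions constructed for the example. The in-memory Device only preserves the order of steps 210, 212 and 214; it does not model the atomicity that step 208 requires of real hardware.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// DeviceCert is CERT(0): the authority's signed binding of a device public key to a
// security level (114, 116). Field layout and byte encodings are assumptions here.
type DeviceCert struct {
	DevicePub     ed25519.PublicKey
	SecurityLevel byte
	Sig           []byte
}
func (c *DeviceCert) tbs() []byte { return append(append([]byte("cert:"), c.DevicePub...), c.SecurityLevel) }

// TransitionCert is CERT(i), i >= 1: composed by the device (204), signed with the old private key (206).
type TransitionCert struct {
	OldPub, NewPub ed25519.PublicKey
	Reason         string
	Sig            []byte
}
func (t *TransitionCert) tbs() []byte {
	return append(append(append([]byte("transition:"), t.OldPub...), t.NewPub...), t.Reason...)
}

// Device: current keypair (tamper-protected memory on real hardware, 106), CERT(0), and
// the initially empty list of transition certificates.
type Device struct {
	priv        ed25519.PrivateKey
	cert        DeviceCert
	transitions []TransitionCert
}

// Certify is the authority side of 112-116: check possession of the private key via a
// signed challenge, then sign the device certificate with the authority's own key.
func Certify(caPriv ed25519.PrivateKey, pub ed25519.PublicKey, challenge, proof []byte, level byte) (DeviceCert, error) {
	if !ed25519.Verify(pub, challenge, proof) {
		return DeviceCert{}, errors.New("device does not hold the claimed private key (112)")
	}
	c := DeviceCert{DevicePub: pub, SecurityLevel: level}
	c.Sig = ed25519.Sign(caPriv, c.tbs())
	return c, nil
}

// NewDevice is initial keypair generation (104) and certification (108-122).
func NewDevice(caPub ed25519.PublicKey, caPriv ed25519.PrivateKey, level byte) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for the on-board TRNG
	if err != nil { return nil, err }
	challenge := []byte("constructed possession challenge")
	cert, err := Certify(caPriv, pub, challenge, ed25519.Sign(priv, challenge), level)
	if err != nil { return nil, err }
	if !ed25519.Verify(caPub, cert.tbs(), cert.Sig) { // 120: did it come from the authority?
		return nil, errors.New("certificate not signed by the certifying authority")
	}
	return &Device{priv: priv, cert: cert}, nil
}

// Regenerate is FIG. 2 (202-214). On real hardware 210-214 must be atomic across power
// loss (208); this in-memory model only preserves their order.
func (d *Device) Regenerate(reason string) error {
	newPub, newPriv, err := ed25519.GenerateKey(rand.Reader) // 202
	if err != nil { return err }
	t := TransitionCert{OldPub: d.priv.Public().(ed25519.PublicKey), NewPub: newPub, Reason: reason} // 204
	t.Sig = ed25519.Sign(d.priv, t.tbs())    // 206: signed with the OLD private key
	for i := range d.priv { d.priv[i] = 0 }  // 210: delete the old private key
	d.priv = newPriv                         // 212
	d.transitions = append(d.transitions, t) // 214
	return nil
}

// Prove is the device side of FIG. 3 (304-310).
func (d *Device) Prove(nonce []byte) (stmt, sig []byte, cert DeviceCert, chain []TransitionCert) {
	stmt = append([]byte("untampered-statement:"), nonce...)
	return stmt, ed25519.Sign(d.priv, stmt), d.cert, d.transitions
}

// VerifyProof is the agent side of FIG. 3 (312-320).
func VerifyProof(caPub ed25519.PublicKey, nonce, stmt, sig []byte, cert DeviceCert, chain []TransitionCert) error {
	if !ed25519.Verify(caPub, cert.tbs(), cert.Sig) { // 312
		return errors.New("CERT(0) not signed by the certifying authority")
	}
	cur := cert.DevicePub
	for i, t := range chain { // 314: CERT(i) against the key carried in CERT(i-1)
		if !bytes.Equal(t.OldPub, cur) || !ed25519.Verify(cur, t.tbs(), t.Sig) {
			return fmt.Errorf("CERT(%d) is not rooted in CERT(%d)", i+1, i)
		}
		cur = t.NewPub
	}
	if !ed25519.Verify(cur, stmt, sig) || !bytes.Contains(stmt, nonce) { // 316, 318
		return errors.New("statement not signed by the final key, or agent's nonce missing")
	}
	return nil // 320: accept the device as untampered
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	dev, err := NewDevice(caPub, caPriv, 4)
	if err != nil { panic(err) }
	_ = dev.Regenerate("scheduled")
	stmt, sig, cert, chain := dev.Prove([]byte("constructed-nonce"))
	fmt.Println("verify:", VerifyProof(caPub, []byte("constructed-nonce"), stmt, sig, cert, chain))
}
```

The reference-number comments map each statement back to the flow diagrams. Two checks in VerifyProof carry the security argument: the requirement that each CERT(i) name, as its old key, exactly the key certified by CERT(i-1) is what keeps the chain rooted in the authority's signature, so a transition certificate signed by some other key cannot be spliced onto a genuine chain; and the nonce check (318) is what distinguishes a live device from a replayed statement.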
A scenario for recertification in the field, with regeneration 
shown in FIG. 5. The certifying authority that produced a 
device's current device certificate can combine recertifica- 
tion of the device with regeneration of the authority's own 
keypair as follows. As shown in FIG. 5, the authority first 
regenerates its own keypair (502). Then, the certifying 
authority has the device in question prove its untampered 
state (504). This may be accomplished using a process like 
that shown in FIG. 3. In doing so, the authority makes 
certain that the device uses signatures based on keypairs that 
the authority still believes are valid. In some embodiments, 
this is a matter of policy. The authority may choose to 
supplement this technique with such things as examination 
of the device's physical condition and/or chain of custody. 

The certifying authority then composes a new device 
certificate, attesting to the current device public key, device 
security level, and any other relevant information (506). The 
certifying authority signs this new device certificate with the 
authority's new private key (508), and sends this back to the 
device (510) for storage in its memory. The device verifies 
that this new certificate came from an authority permitted to 
recertify that device (512), and stores this certificate as its 
new device certificate (514). 

As discussed in the generic recertification scenario, in 
some embodiments the device does additional sanity check- 
ing on the new certificate before accepting it, and/or the 
device retains the previous device certificate, and/or the 
device has more than one certificate active at any particular 
point in time. 

FIG. 6 shows how a device might pass through the various 
scenarios in its lifetime. In 602, the device goes through the 
steps of 'initialization', 'keypair generation', and 'certifica- 
tion'. The device is then ready for normal use, 604. At this 
point, a tamper event will cause the device to zeroize its 
secrets, and enter a 'tampered' state (614), from which it 
could be returned to 602, should policy and implementation 
decisions allow that. However, during normal, untampered 
use (604), the device can then undergo 'regeneration' (606) 
and 'recertification' (608). Often regeneration may be followed 
by certification. The CA can also regenerate its own keypair 
and then recertify the device (610). The device can also 
prove that it is in an untampered state (612). It is noted that for 
the most part item 602 matches FIG. 1(b), item 606 matches 
FIG. 2, item 612 matches FIG. 3, item 608 matches FIG. 4, 
and item 610 matches FIG. 5. 

A challenge remains in finding a way to verify the 
untampered state of a device that is not yet ready for this 
invention. A number of situations have been identified where 
it is necessary to verify the untampered state of a device, but 
where this invention cannot be used. To address this, a 
technique called "Secret Key Authentication" (SKA) has 
been invented. This is described in the above cross-referenced 
application, attorney docket number Y0997-257, entitled, 
"Authentication for Secure Devices With Limited 
Cryptography", by inventors M. S. Matyas et al. It is noted 
that it is most advantageous to use this invention in com- 
bination with the Hardware Locks memory protection tech- 
nique described in the same cross referenced application. 
Hardware Locks provides a software architecture which 
ensures that the private key indeed remains private. This is 
especially important in the face of potentially permeable 
system software. Hardware Locks also ensures that the 
stored secrets are regularly converted and/or inverted so as 
to avoid imprinting the memory (SRAM) on the device with 
long-term storage. 

The following documents are incorporated herein by 
reference: U.S. Pat. No. 4,860,351, entitled, "Tamper-Resistant 
Packaging for Protection of Information Stored in 
Electronic Circuitry", by S. H. Weingart, issued Aug. 22, 
1989; U.S. Pat. No. 5,159,629, entitled, "Data Protection by 
Detection of Intrusion into Electronic Assemblies", by G. P. 
Double and S. H. Weingart, issued Oct. 27, 1992; Federal 
Information Processing Standards Publication 140-1, "Secu- 
rity Requirements for Cryptographic Modules", US Depart- 
ment of Commerce/National Institute of Standards and 
Technology, Jan. 11, 1994; "Applied Cryptography", by B. 
Schneier, 2nd edition, Wiley and Sons, New York, 1996, 
ISBN 0-471-12845-7. These are incorporated herein for 
many purposes, including the enablement of tamper 
resistance, key generation and other circuits in the present 
invention. 

An application filed concurrently with this application, 
attorney docket number Y0997-157, entitled, "Securely 
Downloading and Executing Code From Mutually Suspi- 
cious Authorities", by inventors S. W. Smith et al., provides 
a system, method and apparatus for secure code download- 
ing. It restricts access of the device's central private key only 
to trustworthy code in the device. The code downloading 
approach disclosed allows on-board programs to use the 
device's provable untampered state as a foundation for 
authenticating themselves as running in a trusted environ- 
ment. 

It is noted that this invention may be used for many 
technologies and applications. These include any secure 
processor technology in such areas as banking, secure busi- 
ness transactions, secure databases, etc. Applications include 
electronic commerce, information privacy and integrity, etc. 
It is also applicable to future types of smart cards provided with 
enough resources to support the invention. Thus, although 
the description is made for particular arrangements and 
applications, the intent and concept of the invention is 
suitable and applicable to other arrangements and applications. 
It will be clear to those skilled in the art that other 
modifications to the disclosed embodiments can be effected 
without departing from the spirit and scope of the invention. 

What is claimed is: 

1. A device having an input and an output, said device 
comprising: 

a memory; 

a tamper circuit coupled to said memory and being 
responsive to a tampering phenomenon, such that a 
certifying authority can determine an occurrence of 
said phenomenon, said certifying authority having an 
authority public key known to said device; 

a key pair generator which generates a device key pair for 
said device, said device key pair includes a device 
private key and a device public key which are stored in 
said memory, said device key pair generator is capable 
of exporting said device public key via said output to 
said certifying authority such that said certifying 
authority is enabled to perform a verification that said 
device public key emerged from said device, and that 
said device was not attacked by said tampering 
phenomenon, and whereupon said verification being 
successful said certifying authority is able to certify 
that said device is in an untampered state, wherein said 
device key pair generator regenerates a new key pair in 
response to a predetermined event; and 

a transition certificate which certifies an authenticity of 
said new key pair. 

2. Adevice as recited in claim 1, wherein said untampered 
state is certified by said certifying authority by: 

signing a first certificate with said authority private key, 
said first certificate includes said device public key and 
at least one identifying property of said device; and 
issuing said first certificate which becomes available to a 
third party for use in establishing that said device is in 
said untampered state. 

3. A device as recited in claim 1, wherein said certifying 
authority is a manufacturer of said device. 

4. A device as recited in claim 1, wherein said device key 
pair is generated using an internal source of non- 
deterministic randomness. 

5. A device as recited in claim 1, further comprising a 
verifier for outputting a proof of its being in said untampered 
state, by exhibiting a knowledge of said device key pair. 

6. A device as recited in claim 1, wherein said device key 
pair generator regenerates a new key pair in response to a 
predetermined event. 

7. A device as recited in claim 1, wherein said device has 
a chain of transition certificates, and said transition certifi- 
cate is added to said chain of transition certificates. 

8. A device as recited in claim 6, wherein said predeter- 
mined event is a reload of cryptographic software. 

9. A device as recited in claim 1, further comprising a 
zeroizing circuit capable of erasing a portion of said memory 
upon said tamper circuit detecting an occurrence of said 
tampering phenomenon. 

10. A device as recited in claim 9, wherein said memory 
includes all non-volatile memory in said device. 

11. A device as recited in claim 1, further comprising a 
recertifier for enabling said certifying authority to authenti- 
cate said untampered state, provide a recertification of said 
untampered state, and attest to said public key. 

12. A device as recited in claim 11, wherein said first 
certificate has a finite life, and said recertification is per- 
formed at predetermined intervals prior to an end of said 
finite life. 

13. A device as recited in claim 1, wherein said device 
uses said device private key to sign said transition certificate 
which asserts a change from said public key to a new public 
key. 

14. A device as recited in claim 13, wherein said device 
private key is erased. 

15. An apparatus as recited in claim 13, wherein said 
transition certificates are shown to be rooted in said first 
certificate so as to maintain said untampered state. 

16. A device as recited in claim 15, further comprising a 
recertifier for enabling said certifying authority to recertify 
said device. 

17. A device as recited in claim 16, wherein said recertifier 
authenticates said untampered state, provides a recertifica- 
tion of said untampered state and attests to said public key. 

18. A device as recited in claim 1, wherein said tampering 
phenomenon is such as to cause the device to undergo an 
action that triggers tamper-response zeroization. 

19. A device having a memory which includes data 
required to be erased upon a tampering attempt, said device 
comprising: 

a tamper responsive circuit having an enabling capability; 

a certifying authority; 

an initialization circuit wherein said certifying authority 
enables said tamper responsive circuit using said 
enabling capability; 

a first key pair generator for generating a public key made 
available to a plurality of third party users, and for 
generating a private key retained in said memory; 

a certification circuit for exporting said public key to said 
certifying authority such as to enable said certifying 
authority to verify said public key, to certify that said 
public key emerged from said device, and to certify that 
said device is untampered; and 

a key pair regenerator for forming a new key pair, upon 
an occurrence of a predetermined event, where said key 
pair includes a new public key and a new private key. 

20. A device as in claim 19, further comprising a recertifier 
for exporting said new public key to said certifying authority 
such as to enable said certifying authority to verify said new 
public key and certify that said new public key emerged 
from said device and that said device is untampered. 

21. A device as in claim 19, wherein at least a portion of 
said memory is zeroized upon said tamper responsive circuit 
detecting a tampering event. 

22. A device as in claim 21, wherein said device further 
comprises a memory disaster protection circuit for stopping 
an attacker from impersonating said device. 

23. A device as in claim 21, further comprising a 
re-initialization circuit for reinitializing said device to an 
operative state following said device being zeroized in 
response to said tampering event. 

24. A device as in claim 21, wherein said reinitialization 
circuit employs hidden symmetric keys. 

25. A device as in claim 23, wherein said certification 
circuit marks a particular data field in a certificate verifying 
said device, to indicate that said device was initialized in a 
substandard manner. 

26. A method for a certifying authority to certify an 
untampered state of a device, said method comprising: 

providing a tamper circuit being responsive to a tamper- 
ing phenomenon; 

a certifying authority determining an occurrence of said 
phenomenon, said certifying authority having an 
authority public key known to said device; 

generating a device key pair for said device, said device 
key pair including a device private key and a device 
public key which are stored in said memory; 

exporting said device public key to said certifying author- 
ity; 

enabling said certifying authority to perform a verification 
that said public key emerged from said device, 
that said device was not attacked by said tampering 
phenomenon, and whereupon said verification being 
successful said certifying authority certifying that said 
device is in an untampered state; 

regenerating a new key pair in response to a predeter- 
mined event; and 

generating a transition certificate certifying authenticity 
of said new key pair. 

27. A method as in claim 26, wherein said certifying 
authority is a manufacturer of the device. 

28. A method as in claim 26, wherein said step of 
generating is internal to said device. 

29. A method as in claim 28, wherein said step of 
generating is by a random key pair generator. 

30. A method as in claim [number illegible], further comprising ensuring 
said device certificate is available to a user to whom the 
device wishes to be authenticated. 

31. A method as in claim 30, wherein said step of ensuring 
is implemented by the certifying authority sending said 
certificate to the device. 

32. A method as in claim 31, further comprising said 
device authenticating that said certificate came from said 
certifying authority. 

33. A method as in claim 32, wherein said step of 
authenticating is implemented using a secret key authenti- 
cating technique. 

34. A device having a memory which includes data 
required to be erased upon a tampering attempt, said device 
comprising: 

a tamper responsive circuit having an enabling capability; 

a certifying authority; 

an initialization circuit wherein said certifying authority 
enables said tamper responsive circuit using said 
enabling capability; 

a first key pair generator for generating a public key made 
available to a plurality of third party users, and for 
generating a private key retained in said memory; and 

a certification circuit for exporting said public key to said 
certifying authority such as to enable said certifying 
authority to verify said public key, to certify that said 
public key emerged from said device, and to certify that 
said device is untampered, wherein at least a portion of 
said memory is zeroized upon said tamper responsive 
circuit detecting a tampering event; 

a re-initialization circuit for reinitializing said device to an 
operative state following said device being zeroized in 
response to said tampering event, wherein said certifi- 
cation circuit marks a particular data field in a certifi- 
cate verifying said device, to indicate that said device 
was initialized in a substandard manner. 